Least Authority Performs Incentive Analysis For Ethereum
Our mission at LeastAuthority is to bring verifiable end-to-end security to everyone.
As part of that mission, in addition to operating the S4 secure storage service, we also run a security consulting business. We LeastAuthoritarians have extensive experience in security and cryptography, and other companies sometimes hire us to analyze the security of their protocols and software.
Our most recent consulting client is Ethereum.
Ethereum is innovating in many ways, both in the technical design of the cryptocurrency itself, and in their engineering process. As part of the testing phase building up to Ethereum's release, they are performing a large scale security audit, involving contributions from many independent investigators, including Least Authority.
Our contribution is not a “security audit” per se, although we did find and report some implementation-specific bugs.
Instead, we took an in-depth critical look into two fundamental and innovative aspects of Ethereum's design: the new proof-of-work puzzle, Ethash, and the gas mechanism. Both of these features are inherently incentive-oriented. The proof-of-work puzzle is designed to encourage a large number of independent users to participate, yet to discourage "mining centralization" which is currently rampant in Bitcoin. For example, it would be considered a severe failure of the incentive mechanism if, in a year following Ethereum's release, there turns out only to be a single large Ethereum miner, crowding out other potential miners! Similarly, the gas mechanism is about encouraging users to make efficient use of common resources (e.g., storage in the blockchain and compute cycles available to validate transactions). For both of these, we're interested in answering similar questions: are the incentives of users well aligned? Can a greedy attacker profit by deviating from the protocol?
This has been fun for us because we've gotten to study in very close detail several aspects of how Ethereum works, and gotten to see their engineering process in action. We're impressed with many aspects of their engineering process, such as how all the work is done "in the public", so we could follow along as they release in-development code. Also they have several different implementations in different languages, by different teams. Lots of bugs are caught that way.
Today we're releasing our final report, which summarizes our findings and explains the steps Ethereum has taken in response. In general, we found the Ethereum virtual machine and gas mechanism to be well designed, and most of the hazards in contract composition are readily fixed. Based on our cost analysis of hardware configurations, the Ethash puzzle is likely to be GPU-friendly with minimal potential for improvement using customized hardware designs. As supplemental materials we also include tools for visualizing the storage trie structure and demonstrations of attacks using pyethereum as a simulator.
View our final report here.